CN102255916A - Access authentication method, device, server and system - Google Patents

Info

Publication number
CN102255916A
Authority
CN
China
Prior art keywords
access
authentication
network
message
access control
Prior art date
Legal status
Pending
Application number
CN201110210884XA
Other languages
Chinese (zh)
Inventor
马迪
王利明
田野
沈烁
王伟
Current Assignee
Computer Network Information Center of CAS
Original Assignee
Computer Network Information Center of CAS
Priority date
Filing date
Publication date
Application filed by Computer Network Information Center of CAS
Priority to CN201110210884XA
Publication of CN102255916A
Priority to PCT/CN2011/083703 (published as WO2013013481A1)
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities


Abstract

Embodiments of the present invention provide an access authentication method, device, server and system. The method includes: a network access device sends an access authentication request to an access authentication server, where the source IP address of the access authentication request contains the EI of the network access device; and the network access device receives an authentication response message returned by the access authentication server. The embodiments authenticate the network access device and control its access by means of the EI contained in the device's IP address, which uniquely identifies the device. However the access environment and location change, the EI contained in the device's IP address does not change, which avoids the problem of existing authentication methods that a network access device is difficult to trace and audit because the representation of its identity information changes.

[Figure: abstract drawing]

Description

Access authentication method, device, server and system

Technical field

The embodiments of the present invention relate to the field of communication technology, and in particular to an access authentication method, device, server and system.

Background

For management and billing purposes, Internet access service providers need to authenticate network access devices and control their access. The authentication methods fall into two categories. The first authenticates physical information of the network access device, such as its MAC address, and then binds the assigned IP address to that physical information. The second authenticates the account information of the network access device, and assigns an IP address and binds the related information only after authentication succeeds. The first category is tied to the specific access environment: as soon as the network access device changes its access location, the representation of its identity information changes. The second category is tied to application-layer protocols: different access networks and access methods may require the network access device to support different authentication protocols and therefore install different authentication clients, such as PPPoE or 802.1x, so the representation of its identity information changes as well. When the representation of a network access device's identity information changes, the earlier authentication no longer applies, and it is difficult to trace and audit the behaviour of the device after the change.

Therefore, all existing authentication methods share the problem that, because the representation of a network access device's identity information changes, it is difficult to trace and audit the network access device.

Summary of the invention

Embodiments of the present invention provide an access authentication method, device, server and system, which avoid the problem of existing authentication methods that a network access device is difficult to trace and audit because the representation of its identity information changes.

In one aspect, an embodiment of the present invention provides an access authentication method, including:

a network access device sends an access authentication request to an access authentication server, where the source IP address of the access authentication request contains the entity identifier (EI) of the network access device;

the network access device receives an authentication response message returned by the access authentication server.

In another aspect, an embodiment of the present invention further provides an access authentication method, including:

receiving an access authentication request sent by a network access device, where the source IP address of the access authentication request contains the entity identifier (EI) of the network access device;

authenticating the network access device according to the EI in the source IP address.

In another aspect, an embodiment of the present invention further provides an access authentication method, including:

receiving a registration message sent by an access authentication server, where the registration message contains the entity identifier (EI) of a network access device;

generating an access control record containing the EI according to the registration information, and writing the access control record into an access control list to allow the network access device to access the network;

sending a registration response message to the access authentication server.

In another aspect, an embodiment of the present invention provides a network access device, including:

an authentication request module, configured to send an access authentication request to an access authentication server, where the source IP address of the access authentication request contains the entity identifier (EI) of the network access device;

a first receiving module, configured to receive an authentication response message returned by the access authentication server.

In another aspect, an embodiment of the present invention provides an access authentication server, including:

a second receiving module, configured to receive an access authentication request sent by a network access device, where the source IP address of the access authentication request contains the entity identifier (EI) of the network access device;

an authentication module, configured to authenticate the network access device according to the EI in the source IP address.

In another aspect, an embodiment of the present invention provides an access control device, including:

a third receiving module, configured to receive registration information sent by an access authentication server, where the registration information contains the entity identifier (EI) of a network access device;

an access control module, configured to generate an access control record containing the EI according to the registration information, and to write the access control record into an access control list to allow the network access device to access the network;

a third sending module, configured to send a registration response message to the access authentication server.

In yet another aspect, an embodiment of the present invention provides an access authentication system, including the above network access device, access control device and access authentication server, connected in sequence.

The present invention authenticates the network access device and controls its access by means of the entity identifier EI contained in the device's IP address, which uniquely identifies the device. However the access environment and location change, the EI contained in the device's IP address does not change, which avoids the problem of existing authentication methods that a network access device is difficult to trace and audit because the representation of its identity information changes.

Brief description of the drawings

To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are introduced briefly below. Obviously, the drawings described below show some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.

FIG. 1 is a schematic flowchart of Embodiment 1 of an access authentication method provided by an embodiment of the present invention.

FIG. 2 is a schematic flowchart of Embodiment 2 of an access authentication method provided by an embodiment of the present invention.

FIG. 3 is a schematic flowchart of Embodiment 3 of an access authentication method provided by an embodiment of the present invention.

FIG. 4 is a schematic flowchart of Embodiment 4 of an access authentication method provided by an embodiment of the present invention.

FIG. 5 is a signaling flowchart of Embodiment 5 of an access authentication method provided by an embodiment of the present invention.

FIG. 6 is a schematic structural diagram of an embodiment of a network access device provided by an embodiment of the present invention.

FIG. 7 is a schematic structural diagram of an embodiment of an access authentication server provided by an embodiment of the present invention.

FIG. 8 is a schematic structural diagram of an embodiment of an access control device provided by an embodiment of the present invention.

FIG. 9 is a schematic structural diagram of an embodiment of an access authentication system provided by an embodiment of the present invention.

Detailed description of the embodiments

To make the objectives, technical solutions and advantages of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are some, but not all, of the embodiments of the present invention. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

The main idea of the present invention is an access authentication method oriented to the entity identifier (hereinafter EI) carried in the IP address of a network access entity. Take IPv6 as an example: an IPv6 address is the address type used by the Internet IPv6 protocol and is 128 bits long. Under the IETF specifications, at most the first 64 bits of an IPv6 address are currently used to identify the subnet; these bits are called the network prefix, and routers select the forwarding path according to the network prefix. The characteristics of the EI are: 1) global uniqueness: the EI uniquely identifies the network access entity and does not change with access location or time; 2) verifiability of the information bound to the EI: the EI allocator is responsible for providing lookup and verification of the identity information bound to the EI. By carrying the EI of the network access entity in the last 64 bits of the IPv6 address, the embodiments of the present invention make it possible to identify, from the IP address itself, the network access entity that uses it. By verifying the EI in the IP address, the embodiments solve the problem of existing authentication methods that a network access entity is difficult to trace and audit because the representation of its identity information changes, and they also provide support for source IP address validation.
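The address layout this paragraph describes, as an added Go example that is not code from the patent: the high 64 bits carry the subnet prefix, the low 64 bits carry the EI, and the same EI reappears unchanged under a different prefix when the entity moves. The prefixes, the EI value and the function names are constructed for illustration; only the standard library is used.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// EI is the 64-bit entity identifier carried in the low half of the IPv6 address.
type EI uint64

// ComposeAddress builds the IPv6 address of the network access entity: the
// 64-bit subnet prefix in the high half, the EI in the low half. The prefix
// must be exactly /64, because the EI needs all of the remaining 64 bits.
func ComposeAddress(prefix netip.Prefix, ei EI) (netip.Addr, error) {
	if !prefix.Addr().Is6() || prefix.Addr().Is4In6() {
		return netip.Addr{}, errors.New("prefix must be IPv6")
	}
	if prefix.Bits() != 64 {
		return netip.Addr{}, fmt.Errorf("prefix must be /64, got /%d", prefix.Bits())
	}
	a16 := prefix.Masked().Addr().As16() // prefix bits with the low half zeroed
	binary.BigEndian.PutUint64(a16[8:], uint64(ei))
	return netip.AddrFrom16(a16), nil
}

// ExtractEI reads the EI back out of the source address of any packet, which is
// what the access authentication server and the access control device rely on.
func ExtractEI(addr netip.Addr) (EI, error) {
	if !addr.Is6() || addr.Is4In6() {
		return 0, errors.New("not an IPv6 address")
	}
	a16 := addr.As16()
	return EI(binary.BigEndian.Uint64(a16[8:])), nil
}

// PrefixOf returns the /64 network prefix an address falls under, so a log or
// audit entry can record where the EI is currently attached.
func PrefixOf(addr netip.Addr) netip.Prefix {
	return netip.PrefixFrom(addr, 64).Masked()
}

func main() {
	const ei EI = 0x0123456789abcdef // constructed sample EI
	home := netip.MustParsePrefix("2001:db8:1:1::/64")
	away := netip.MustParsePrefix("2001:db8:2:2::/64")
	a1, _ := ComposeAddress(home, ei)
	a2, _ := ComposeAddress(away, ei)
	fmt.Println(a1, a2) // same low 64 bits, different prefix
	e1, _ := ExtractEI(a1)
	e2, _ := ExtractEI(a2)
	fmt.Println(e1 == e2, PrefixOf(a1), PrefixOf(a2)) // the EI survives the move
}
```

The /64 check matters for the scheme: a longer prefix would overlap the EI bits and a shorter one would leave part of the address unauthenticated.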

FIG. 1 is a schematic flowchart of Embodiment 1 of an access authentication method provided by an embodiment of the present invention. As shown in FIG. 1, the method includes:

Step 101: the network access device sends an access authentication request to the access authentication server, where the source IP address of the access authentication request contains the EI of the network access device.

The source IP address of the access authentication request here is the IP address of the network access device. The EI may be allocated to the network access device through an out-of-band mechanism before it accesses the network; at allocation time the EI may be bound to the identity information of the network access device and/or of its user, which this embodiment does not limit. In practice the IP address of the network access device usually also contains a subnet prefix, and requesting access parameters such as the subnet prefix is a necessary step for the network access device to access the Internet; the network access device may obtain the subnet prefix through a router advertisement or a Dynamic Host Configuration Protocol (DHCP) request.

In addition, the network access device may obtain the address of the access authentication server from a broadcast message.

Step 102: the network access device receives the authentication response message returned by the access authentication server.

If the authentication response message indicates that authentication passed, the network access device may access the network; if it indicates that authentication failed, the network access device cannot access the network.

This embodiment authenticates the network access device and controls its access by means of the EI contained in the device's IP address, which uniquely identifies the device. However the access environment and location change, the EI contained in the device's IP address does not change, which avoids the problem of existing authentication methods that a network access device is difficult to trace and audit because the representation of its identity information changes.

FIG. 2 is a schematic flowchart of Embodiment 2 of an access authentication method provided by an embodiment of the present invention. As shown in FIG. 2, the method includes:

Step 201: receive an access authentication request sent by a network access device, where the source IP address of the access authentication request contains the EI of the network access device.

Step 202: authenticate the network access device according to the EI in the source IP address.

The access authentication server here may obtain the authorization information corresponding to the EI from the third-party device that allocated the EI to the network access device; how the authorization information is synchronised between the third-party device and the access authentication server is not limited in this embodiment. In practice, if authentication passes, the access authentication server may return to the network access device an authentication response message indicating success and instruct the access control device to allow the network access device to access the network; if authentication fails, the authentication response message indicating failure may also carry an error code stating why the network access device failed authentication, which this embodiment does not limit.

This embodiment authenticates the network access device and controls its access by means of the EI contained in the device's IP address, which uniquely identifies the device. However the access environment and location change, the EI contained in the device's IP address does not change, which avoids the problem of existing authentication methods that a network access device is difficult to trace and audit because the representation of its identity information changes.

FIG. 3 is a schematic flowchart of Embodiment 3 of an access authentication method provided by an embodiment of the present invention. As shown in FIG. 3, the method includes:

Step 301: receive a registration message sent by an access authentication server, where the registration message contains the EI of a network access device.

Step 302: generate an access control record containing the EI according to the registration information, and write the access control record into an access control list to allow the network access device to access the network.

Step 303: send a registration response message to the access authentication server.

The access control device here is the device that the network access device must pass through to access the network. Usually the access authentication request also reaches the access control device first; once the access control device recognises it as an access authentication request, it lets the request through and forwards it to the access authentication server. In practice, if step 302 succeeds, the registration response message in step 303 indicates that registration succeeded; if step 302 fails, the registration response message in step 303 indicates that registration failed, and it may additionally carry an error code to aid debugging.

This embodiment authenticates the network access device and controls its access by means of the EI contained in the device's IP address, which uniquely identifies the device. However the access environment and location change, the EI contained in the device's IP address does not change, which avoids the problem of existing authentication methods that a network access device is difficult to trace and audit because the representation of its identity information changes.

FIG. 4 is a schematic flowchart of Embodiment 4 of an access authentication method provided by an embodiment of the present invention. As shown in FIG. 4, the method includes:

Step 401: the network access device obtains its allocated EI and the private key corresponding to the EI.

The private key here is obtained when the EI is allocated.

Step 402: the network access device accesses the network and obtains a subnet prefix.

Step 403: the network access device generates its own IP address from the subnet prefix and the EI.

Step 404: the network access device generates an access authentication request, signs it with the private key, and sends the signed access authentication request to the access authentication server.

The source IP address of the access authentication request here is the IP address generated in step 403; that is, the source IP address of the access authentication request contains the EI.

Step 405: the access authentication server obtains the authorization information corresponding to the EI in the access authentication request, where the authorization information contains the EI and the public key corresponding to the private key.

Step 406: the access authentication server verifies the access authentication request according to the authorization information; if verification fails, step 407 is executed, and if verification passes, step 408 is executed.

Step 407: return an authentication response message indicating authentication failure to the network access device, and end.

Step 408: generate registration information for the network access device, where the registration information contains the EI.

Step 409: send the registration information to the access control device.

Here the registration information instructs the access control device to allow the network access device to access the network.

Step 410: the access control device generates an access control record containing the EI according to the registration information, and writes the access control record into the access control list to allow the network access device to access the network.

Step 411: the access control device returns a registration response message indicating successful registration to the access authentication server.

Step 412: after receiving the registration response message, the access authentication server returns an authentication response message indicating successful authentication to the network access device.
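Steps 401 to 412, as one added Go example that is not code from the patent. It assumes an Ed25519 key pair as the EI's private/public key (the patent names no signature scheme), a constructed EI value and prefix, and a nonce in the signed request so that a captured request cannot simply be replayed; the server's in-memory authorization store stands in for the third-party allocator, and the registration record it returns is what step 409 would send to the access control device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
	"time"
)

// AuthRequest models the access authentication request of step 404: the source
// address carries the EI in its low 64 bits, and the signature covers the source
// address plus a fresh nonce so that a captured request cannot be replayed.
type AuthRequest struct {
	SrcAddr   netip.Addr
	Nonce     [16]byte
	Signature []byte
}

// signedBytes is the byte string the device signs and the server verifies.
func (r *AuthRequest) signedBytes() []byte {
	b := r.SrcAddr.As16()
	return append(b[:], r.Nonce[:]...)
}

// eiOf reads the EI out of the low 64 bits of an IPv6 address.
func eiOf(a netip.Addr) uint64 { b := a.As16(); return binary.BigEndian.Uint64(b[8:]) }

// Device holds what step 401 provides: the EI and the private key issued with
// it. Ed25519 is an assumption; the patent names no signature scheme.
type Device struct {
	EI   uint64
	Priv ed25519.PrivateKey
}

// BuildRequest performs steps 403 and 404: compose the address from the subnet
// prefix and the EI, then sign the request with the private key.
func (d *Device) BuildRequest(prefix netip.Prefix) (*AuthRequest, error) {
	if !prefix.Addr().Is6() || prefix.Addr().Is4In6() || prefix.Bits() != 64 {
		return nil, errors.New("need an IPv6 /64 subnet prefix")
	}
	a := prefix.Masked().Addr().As16()
	binary.BigEndian.PutUint64(a[8:], d.EI)
	r := &AuthRequest{SrcAddr: netip.AddrFrom16(a)}
	if _, err := rand.Read(r.Nonce[:]); err != nil {
		return nil, err
	}
	r.Signature = ed25519.Sign(d.Priv, r.signedBytes())
	return r, nil
}

// Authorization is the step-405 authorization information obtained from the EI
// allocator: the EI and the public key matching the device's private key.
type Authorization struct {
	EI  uint64
	Pub ed25519.PublicKey
}

// Registration is the step-408 registration information for the access control
// device: the EI plus the optional access key and access validity time.
type Registration struct {
	EI        uint64
	AccessKey []byte
	ValidFor  time.Duration
}

// Server is the access authentication server with its authorization store.
type Server struct{ Auth map[uint64]Authorization }

// Verify performs steps 405 and 406: the EI in the source address selects the
// authorization record, whose public key must verify the signature. An error
// means the step-407 failure response; success yields the step-408 registration.
func (s *Server) Verify(r *AuthRequest) (*Registration, error) {
	auth, ok := s.Auth[eiOf(r.SrcAddr)]
	if !ok {
		return nil, errors.New("no authorization information for this EI")
	}
	if !ed25519.Verify(auth.Pub, r.signedBytes(), r.Signature) {
		return nil, errors.New("signature does not verify under the EI's public key")
	}
	key := make([]byte, 32) // fresh access key shared with the access control device
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Registration{EI: auth.EI, AccessKey: key, ValidFor: time.Hour}, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{EI: 0x0123456789abcdef, Priv: priv} // constructed sample EI
	srv := &Server{Auth: map[uint64]Authorization{dev.EI: {EI: dev.EI, Pub: pub}}}
	req, _ := dev.BuildRequest(netip.MustParsePrefix("2001:db8:1:1::/64"))
	if reg, err := srv.Verify(req); err != nil {
		fmt.Println("authentication failed:", err) // step 407
	} else {
		fmt.Printf("EI %x registered from %s, key valid for %s\n", reg.EI, req.SrcAddr, reg.ValidFor)
	}
}
```

The server never trusts the EI on its own: the address only selects which public key to check, and an attacker who forges the low 64 bits of a source address still cannot produce a signature that verifies under that key.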

To control the access behaviour of the network access device further, the registration information in step 408 may, in addition to the EI, also include any one of the following for the network access device, or a combination of them: an access validity time, an access key, a Media Access Control (MAC) address, and a port number. Correspondingly, when the registration information in step 408 includes an access validity time, access key, MAC address or port number, the access control record in step 410 and the authentication response message in step 412 also contain that access validity time, access key, MAC address or port number.

In practice, once access registration is complete, the EI of the network access device has been added to the access control list of the access control device, and data packets carrying that EI can be routed through the access control device to the external network. In this scenario the method may further include:

the network access device sends a data packet whose source IP address contains the EI;

the access control device receives the data packet and determines whether the access control list contains an access control record with the EI; if so, it processes the data packet according to the access control record, and if not, it discards the data packet.

Naturally, if the above steps are performed before step 412 there is no corresponding access control record, and if they are performed after step 412 there is.

If the access control record also contains an access validity time, access key, MAC address or port number, processing the data packet according to the access control record includes further verification of the data packet. For example, if the access control record contains an access key, the corresponding authentication response message also contains that access key, so the network access device signs the data packet with the access key before sending it; correspondingly, after receiving the data packet, the access control device can verify the signature of the data packet with the access key in the access control record and, if verification passes, forward the data packet, preferably after removing the signature and forwarding the data packet with the signature stripped. Specifically, the access control device may verify the signature of the data packet with a keyed-hash message authentication code (HMAC). If verification fails, the data packet is discarded. If the access control record contains a MAC address or port number, after receiving the data packet the access control device can also obtain the source MAC address of the data packet or the port on which the data packet was received, and compare it with the MAC address or port number in the access control record. If the access control record contains an access validity time, after receiving the data packet the access control device can also determine, from the time of receipt, the access validity time in the access control record and the time at which the access control record was generated, whether the access validity time of the network access device has expired; if it has expired the data packet is discarded, and if not the data packet is let through.
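The per-packet checks of this paragraph (ACL lookup by EI, HMAC verification with the shared access key, MAC and port comparison, expiry of the access validity time), as an added Go example that is not code from the patent. The key, address, MAC, port and timestamps are constructed sample values; HMAC-SHA256 over the source address and body is the assumed signing construction, and the `Record` and `Packet` types are illustrative stand-ins for the access control record and the data message.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"net"
	"net/netip"
	"time"
)

// Record is one access control list entry, written when the registration
// information of step 410 arrives. GeneratedAt plus ValidFor implements the
// access validity time; AccessKey, MAC and Port are the optional extra checks.
type Record struct {
	EI          uint64
	AccessKey   []byte           // nil: no HMAC check
	MAC         net.HardwareAddr // nil: no source MAC check
	Port        int              // 0: no ingress port check
	GeneratedAt time.Time
	ValidFor    time.Duration // 0: never expires
}

// Packet is a constructed stand-in for a data message as the access control
// device sees it: IPv6 source, link-layer source, ingress port, and a payload
// that ends with an HMAC-SHA256 tag when the device holds an access key.
type Packet struct {
	Src     netip.Addr
	SrcMAC  net.HardwareAddr
	Port    int
	Payload []byte
}

// Verdict is the per-packet decision; anything but Forward discards the packet.
type Verdict int

const (
	Forward Verdict = iota
	DropNoRecord
	DropExpired
	DropBadMAC
	DropBadPort
	DropBadTag
)

func eiOf(a netip.Addr) uint64 { b := a.As16(); return binary.BigEndian.Uint64(b[8:]) }

// tag computes HMAC-SHA256 over the source address and the body with the shared
// access key; binding the address keeps a tag from being reused on a packet
// with a different source.
func tag(key []byte, src netip.Addr, body []byte) []byte {
	m := hmac.New(sha256.New, key)
	s := src.As16()
	m.Write(s[:])
	m.Write(body)
	return m.Sum(nil)
}

// Seal is the device side: append the tag to the body before sending.
func Seal(key []byte, src netip.Addr, body []byte) []byte {
	return append(append([]byte{}, body...), tag(key, src, body)...)
}

// Process is the access control device side: look up the record for the EI in
// the source address, apply every optional check the record carries, and
// return the body with the tag stripped when the packet is to be forwarded.
func Process(acl map[uint64]Record, p Packet, now time.Time) (Verdict, []byte) {
	rec, ok := acl[eiOf(p.Src)]
	if !ok {
		return DropNoRecord, nil
	}
	if rec.ValidFor > 0 && now.After(rec.GeneratedAt.Add(rec.ValidFor)) {
		return DropExpired, nil
	}
	if rec.MAC != nil && !bytes.Equal(rec.MAC, p.SrcMAC) {
		return DropBadMAC, nil
	}
	if rec.Port != 0 && rec.Port != p.Port {
		return DropBadPort, nil
	}
	body := p.Payload
	if rec.AccessKey != nil {
		n := len(body) - sha256.Size
		if n < 0 || !hmac.Equal(body[n:], tag(rec.AccessKey, p.Src, body[:n])) {
			return DropBadTag, nil
		}
		body = body[:n] // forward with the signature removed
	}
	return Forward, body
}

func main() {
	key := []byte("constructed-32-byte-access-key!!") // constructed shared access key
	src := netip.MustParseAddr("2001:db8:1:1:123:4567:89ab:cdef")
	mac, _ := net.ParseMAC("02:00:5e:00:53:01")
	now := time.Date(2011, 7, 26, 12, 0, 0, 0, time.UTC)
	acl := map[uint64]Record{eiOf(src): {EI: eiOf(src), AccessKey: key, MAC: mac, Port: 7,
		GeneratedAt: now, ValidFor: time.Hour}}
	pkt := Packet{Src: src, SrcMAC: mac, Port: 7, Payload: Seal(key, src, []byte("hello"))}
	v, body := Process(acl, pkt, now.Add(30*time.Minute))
	fmt.Println(v == Forward, string(body)) // true hello
	v, _ = Process(acl, pkt, now.Add(2*time.Hour))
	fmt.Println(v == DropExpired) // true
}
```

The checks are ordered from cheapest to most expensive, and `hmac.Equal` is used for the tag comparison so that a wrong tag is rejected in constant time.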

The above access key is generated by the access authentication server and is shared by the network access device and the access control device; it can improve the security of the communication data between the network access device and the access control device. Through the access valid time, the period for which the network access device may access the network after one successful authentication can be controlled; when the access valid time expires, the network access device needs to request access from the access authentication server again. Specifically, re-requesting access can be implemented in, but is not limited to, the following two ways:

1) If the access registration response message received last time contained an access key, the network access device can use that access key to sign this access authentication request and send the access authentication request containing the signature to the access authentication server;

2) Private key signature, that is, signing the access authentication request with the private key of the EI and sending the access authentication request containing the signature to the access authentication server.

After re-requesting access authentication, the access authority can be updated. For access security, the access authentication server can regenerate the access key and then distribute it to the access control device and to the network access device through the registration information in step 408 and the authentication response message in step 412, respectively.

If the network access device does not send a new access authentication request to the access authentication server before the access valid time expires and successfully update its access authority, the access authentication server can also revoke the access authority of the network access device and notify the access control device to delete the access control record corresponding to the EI of the network access device from the access control list.

Specifically, the access authentication server may determine whether the network access device has re-authenticated before the access valid time expires; if it has not re-authenticated, the server sends the access control device an authority expiration message containing the EI, to instruct the access control device to refuse the network access device access to the network. Correspondingly, the access control device receives the authority expiration message sent by the access authentication server, the authority expiration message containing the EI, and deletes the access control record containing the EI according to the authority expiration message. In this way, the access authentication server effectively maintains a database of the valid IP addresses in the access network, including the EI part of each IP address, the prefix part of the IP address (the access location), the valid time of the IP address (the access valid time of the EI) and other IP address information.

In addition, when the registration information contains an access key, in order to guarantee the confidentiality of the access key, in step 408 the access authentication server may also send the registration information containing the access key to the access control device over a secure information channel established in advance. Correspondingly, in step 412, the access authentication server may also carry the access key in the authentication response message to the network access device in ciphertext form.

In the embodiment of the present invention, the network access device is authenticated and access-controlled by means of the EI, included in the IP address of the network access device, that uniquely identifies the identity of the network access device, so that no matter how the access environment and location change, the EI contained in the IP address of the network access device does not change. This avoids the problem in existing authentication methods that tracing and auditing a network access device is difficult because the representation of its identity information changes. Furthermore, through the EI registration mechanism, the access control device can not only determine the identity of the network access entity but also associate each data packet with its sending source, which can effectively prevent forgery of the source address of data packets.

FIG. 5 is a signaling flowchart of Embodiment 5 of an access authentication method provided by an embodiment of the present invention. As shown in the figure, the method includes:

Step 501: the network access device receives an access control information announcement sent by the first-hop router.

The network access device here may be a device such as a host accessing the network. The access control information announcement contains the IP address of the access authentication server.

Step 502: the network access device sends an access authentication request to the access authentication server.

The access authentication request here contains the EI of the network access device and a signature of the request made with its private key.

Step 503: the access authentication server verifies the identity of the network access device and selects the relevant access parameters.

The access parameters here may include an access valid time, an access key and so on.

Step 504: the access authentication server performs access registration of the network access device with the access control device.

This amounts to sending the registration information of the network access device to the access control device; the registration information includes the EI of the network access device and optionally also the access parameters selected by the access authentication server above.

Step 505: the access control device stores the registration information of the network access device.

Step 506: the access control device returns a registration response message to the access authentication server.

Step 507: the access authentication server stores the registration information of the network access device.

Step 508: the access authentication server returns an authentication response message to the network access device.

The authentication response message here contains the EI and optionally also the access valid time, access key and so on.
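The control-plane exchange of steps 502 to 508, together with the source-address construction from subnet prefix plus EI, the re-authentication with the EI's private key, the regeneration of the access key on renewal, and the server-side expiry that makes the access control device delete the record, as an added Go example; it is not code from the patent or from any implementation of it. It assumes Ed25519 as the key pair bound to the EI (the text only says "private key"), an EI in the low 64 bits of a /64 prefix, a one-hour access valid time, a signature over the source address plus a fresh nonce, and constructed keys and times:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"net/netip"
	"time"
)

// EI is the entity identifier. Assumption (not fixed by the text): it occupies
// the low 64 bits of the IPv6 source address.
type EI uint64

// AuthRequest is the access authentication request (step 502): the source IP
// carries the EI, and the EI's private key signs the address plus a fresh nonce.
type AuthRequest struct {
	Src   netip.Addr
	Nonce [16]byte
	Sig   []byte
}

// Registration is the registration information (step 504); the authentication
// response message (step 508) carries the same content back to the device.
type Registration struct {
	EI       EI
	Key      []byte        // access key chosen by the server
	ValidFor time.Duration // access valid time
	Created  time.Time
}

// MakeSourceAddr builds the source IP from the subnet prefix and the EI.
func MakeSourceAddr(prefix netip.Prefix, ei EI) netip.Addr {
	b := prefix.Masked().Addr().As16()
	binary.BigEndian.PutUint64(b[8:], uint64(ei))
	return netip.AddrFrom16(b)
}

func EIFromAddr(a netip.Addr) EI { b := a.As16(); return EI(binary.BigEndian.Uint64(b[8:])) }

func signedBytes(r AuthRequest) []byte { b := r.Src.As16(); return append(b[:], r.Nonce[:]...) }

// NewRequest is the device side: address from prefix+EI, signed with the EI's private key.
func NewRequest(priv ed25519.PrivateKey, prefix netip.Prefix, ei EI) AuthRequest {
	req := AuthRequest{Src: MakeSourceAddr(prefix, ei)}
	rand.Read(req.Nonce[:])
	req.Sig = ed25519.Sign(priv, signedBytes(req))
	return req
}

// Controller is the access control device's list (steps 505/506); Expire
// handles the server's authority expiration message.
type Controller struct{ ACL map[EI]Registration }

func (c *Controller) Register(r Registration) bool { c.ACL[r.EI] = r; return true }
func (c *Controller) Expire(ei EI)                 { delete(c.ACL, ei) }

// Server holds the authorization information (EI -> public key) and the
// database of currently valid registrations (step 507).
type Server struct {
	Authorized map[EI]ed25519.PublicKey
	Registered map[EI]Registration
	Ctrl       *Controller
}

// Authenticate covers steps 503 to 508: verify the signature with the public
// key authorized for the EI, pick access parameters, register, then answer.
func (s *Server) Authenticate(req AuthRequest, now time.Time) (Registration, bool) {
	ei := EIFromAddr(req.Src)
	pub, ok := s.Authorized[ei]
	if !ok || !ed25519.Verify(pub, signedBytes(req), req.Sig) {
		return Registration{}, false
	}
	reg := Registration{EI: ei, Key: make([]byte, 32), ValidFor: time.Hour, Created: now}
	rand.Read(reg.Key) // a fresh access key on every (re-)authentication
	if !s.Ctrl.Register(reg) {
		return Registration{}, false
	}
	s.Registered[ei] = reg
	return reg, true
}

// ExpireUnrenewed revokes registrations whose access valid time passed without
// re-authentication and tells the controller to delete the record.
func (s *Server) ExpireUnrenewed(now time.Time) {
	for ei, r := range s.Registered {
		if now.After(r.Created.Add(r.ValidFor)) {
			s.Ctrl.Expire(ei)
			delete(s.Registered, ei)
		}
	}
}

// ControlPlaneDemo runs the exchange with constructed keys and a constructed /64 prefix.
func ControlPlaneDemo() map[string]bool {
	t0 := time.Date(2011, 7, 26, 12, 0, 0, 0, time.UTC)
	prefix := netip.MustParsePrefix("2001:db8:1::/64")
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	ctrl := &Controller{ACL: map[EI]Registration{}}
	srv := &Server{Authorized: map[EI]ed25519.PublicKey{0x1234: pub}, Registered: map[EI]Registration{}, Ctrl: ctrl}
	out := map[string]bool{}
	first, ok := srv.Authenticate(NewRequest(priv, prefix, 0x1234), t0)
	out["genuine"] = ok
	_, out["registered"] = ctrl.ACL[0x1234]
	_, out["impostor"] = srv.Authenticate(NewRequest(otherPriv, prefix, 0x1234), t0) // right EI, wrong key
	_, out["unknownEI"] = srv.Authenticate(NewRequest(priv, prefix, 0x9999), t0)    // EI never authorized
	second, ok := srv.Authenticate(NewRequest(priv, prefix, 0x1234), t0.Add(30*time.Minute)) // renewal
	out["rotated"] = ok && !bytes.Equal(first.Key, second.Key)
	srv.ExpireUnrenewed(t0.Add(70 * time.Minute))
	_, out["afterRenewal"] = ctrl.ACL[0x1234] // renewed window runs to t0+90min, so still present
	srv.ExpireUnrenewed(t0.Add(3 * time.Hour))
	_, out["afterExpiry"] = ctrl.ACL[0x1234] // never renewed again, so deleted
	return out
}

func main() { fmt.Println(ControlPlaneDemo()) }
```

The point the demo makes is the binding the text relies on: a request whose source address carries a registered EI is still rejected when the signature was not made by the private key authorized for that EI, and a registration that is not renewed within its access valid time disappears from the access control list without the device having to be told.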

In the embodiment of the present invention, the network access device is authenticated and access-controlled by means of the EI, included in the IP address of the network access device, that uniquely identifies the identity of the network access device, so that no matter how the access environment and location change, the EI contained in the IP address of the network access device does not change. This avoids the problem in existing authentication methods that tracing and auditing a network access device is difficult because the representation of its identity information changes.

FIG. 6 is a schematic structural diagram of an embodiment of a network access device provided by an embodiment of the present invention. As shown in FIG. 6, the device includes:

an authentication request module 61, configured to send an access authentication request to the access authentication server, the source IP address of the access authentication request containing the EI of the network access device; and

a first receiving module 62, configured to receive the authentication response message returned by the access authentication server.

In an optional embodiment of the present invention, the authentication response message returned by the access authentication server contains an access key, and the device then further includes:

a signing module 63, configured to sign data packets with the access key; and

a first sending module 64, configured to send the signed data packets.

In another optional embodiment of the present invention, the authentication response message returned by the access authentication server contains an access valid time, and the authentication request module 61 is further configured to, if the authentication response message contains an access valid time, resend the access authentication request to the access authentication server before the access valid time expires.

In application, the device may further include:

a prefix obtaining module 65, configured to obtain a subnet prefix through a router advertisement or a DHCP request; and

an address generating module 66, configured to generate the source IP address from the subnet prefix and the EI.

In another optional embodiment of the present invention, in order to make the identity verification of the network access device more reliable, the authentication request module 61 is specifically configured to:

obtain the private key of the EI; and

generate the access authentication request and sign the access authentication request with the private key.

For the specific implementation of this embodiment, refer to Embodiment 1, 4 or 5 of the access authentication method provided by the embodiments of the present invention. In the embodiment of the present invention, the network access device is authenticated and access-controlled by means of the EI, included in the IP address of the network access device, that uniquely identifies the identity of the network access device, so that no matter how the access environment and location change, the EI contained in the IP address of the network access device does not change. This avoids the problem in existing authentication methods that tracing and auditing a network access device is difficult because the representation of its identity information changes.

FIG. 7 is a schematic structural diagram of an embodiment of an access authentication server provided by an embodiment of the present invention. As shown in FIG. 7, the server includes:

a second receiving module 71, configured to receive an access authentication request sent by a network access device, the source IP address of the access authentication request containing the EI of the network access device; and

an authentication module 72, configured to authenticate the network access device according to the EI in the source IP address.

In an optional embodiment of the present invention, the server further includes:

a registration module 73, configured to generate, after authentication passes, registration information of the network access device, the registration information containing the EI; and

a second sending module 74, configured to send the registration message to the access control device to instruct the access control device to allow the network access device to access the network;

the second receiving module 71 is further configured to receive the registration response message returned by the access control device; and

the second sending module 74 is further configured to send an authentication response message to the network access device, the authentication response message containing the registration message.

Here the registration response message indicates that registration succeeded, and the authentication response message indicates that authentication passed. In addition, if the registration response message indicates that registration failed, the authentication response message that the second sending module 74 sends to the network access device indicates that authentication failed and correspondingly does not contain the registration information.

In another optional embodiment of the present invention, the access authentication request contains a signature of the access authentication request made with the private key corresponding to the EI, and the authentication module 72 is specifically configured to:

obtain the authorization information corresponding to the EI, the authorization information containing the EI and the public key corresponding to the private key; and

verify the access authentication request according to the authorization information.

In another optional embodiment of the present invention, the registration message further contains an access valid time, and the server further includes:

an authority update module 75, configured to determine whether the network access device has re-authenticated before the access valid time expires and, if it has not re-authenticated, send an authority expiration message containing the EI to the access control device to instruct the access control device to refuse the network access device access to the network.

For the specific implementation of this embodiment, refer to Embodiment 2, 4 or 5 of the access authentication method provided by the embodiments of the present invention. In the embodiment of the present invention, the network access device is authenticated and access-controlled by means of the EI, included in the IP address of the network access device, that uniquely identifies the identity of the network access device, so that no matter how the access environment and location change, the EI contained in the IP address of the network access device does not change. This avoids the problem in existing authentication methods that tracing and auditing a network access device is difficult because the representation of its identity information changes.

FIG. 8 is a schematic structural diagram of an embodiment of an access control device provided by an embodiment of the present invention. As shown in FIG. 8, the device includes:

a third receiving module 81, configured to receive registration information sent by the access authentication server, the registration information containing the EI of a network access device;

an access control module 82, configured to generate an access control record containing the EI according to the registration information and write the access control record into an access control list to allow the network access device to access the network; and

a third sending module 83, configured to send a registration response message to the access authentication server.

In an optional embodiment of the present invention, the third receiving module 81 is further configured to receive data packets sent by the network access device, the source IP address of the data packet containing the EI;

correspondingly, the device further includes:

a packet processing module 84, configured to look up whether the access control list contains an access control record containing the EI and, if so, process the data packet according to the access control record, and if not, discard the data packet.

In another optional embodiment of the present invention, if the registration information further contains an access key, the access control module 82 is specifically configured to generate, according to the registration information, an access control record containing the EI and the access key; and

the packet processing module 84 is specifically configured to look up whether the access control list contains an access control record containing the EI and, if so, verify the data packet using the access key in the access control record, and send the data packet on once verification passes.

In another optional embodiment of the present invention, if the registration information further contains an access valid time, the access control module 82 is specifically configured to generate, according to the registration information, an access control record containing the EI and the access valid time; and

the packet processing module 84 is specifically configured to determine whether the access valid time has expired, send the data packet if it has not expired, and discard the data packet if it has expired.

Further, the third receiving module 81 is further configured to receive an authority expiration message containing the EI sent by the access authentication server; and

the access control module 82 is further configured to delete the access control record containing the EI and the access valid time according to the authority expiration message.

In another optional embodiment of the present invention, the third receiving module 81 is further configured to receive the access authentication request sent by the network access device; and

the third sending module 83 is further configured to forward the access authentication request to the authentication server.

For the specific implementation of this embodiment, refer to Embodiment 3, 4 or 5 of the access authentication method provided by the embodiments of the present invention. In the embodiment of the present invention, the network access device is authenticated and access-controlled by means of the EI, included in the IP address of the network access device, that uniquely identifies the identity of the network access device, so that no matter how the access environment and location change, the EI contained in the IP address of the network access device does not change. This avoids the problem in existing authentication methods that tracing and auditing a network access device is difficult because the representation of its identity information changes.

FIG. 9 is a schematic structural diagram of an embodiment of an access authentication system provided by an embodiment of the present invention. As shown in FIG. 9, the system includes a network access device 91, an access control device 92 and an access authentication server 93 connected in sequence, where the network access device 91 is the device described in the network access device embodiment provided by the embodiments of the present invention, the access control device 92 is the device described in the access control device embodiment provided by the embodiments of the present invention, and the access authentication server 93 is the server described in the access authentication server embodiment provided by the embodiments of the present invention.

For the specific implementation of this embodiment, refer to Embodiments 1 to 5 of the access authentication method provided by the embodiments of the present invention. In the embodiment of the present invention, the network access device is authenticated and access-controlled by means of the EI, included in the IP address of the network access device, that uniquely identifies the identity of the network access device, so that no matter how the access environment and location change, the EI contained in the IP address of the network access device does not change. This avoids the problem in existing authentication methods that tracing and auditing a network access device is difficult because the representation of its identity information changes.

Those of ordinary skill in the art will understand that all or part of the steps implementing the above method embodiments can be completed by hardware under the control of program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes ROM, RAM, magnetic disk, optical disk and other media capable of storing program code.

Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (29)

1. An access authentication method, characterized by comprising: a network access device sending an access authentication request to an access authentication server, the source IP address of the access authentication request containing the entity identifier EI of the network access device; and receiving an authentication response message returned by the access authentication server.

2. The method according to claim 1, characterized in that, before the network access device sends the access authentication request to the access authentication server, the method further comprises: obtaining the EI and a private key; and generating the access authentication request and signing the access authentication request with the private key.

3. The method according to claim 1 or 2, characterized in that, if the authentication response message contains an access key, after receiving the authentication response message returned by the access authentication server the method further comprises: signing a data packet with the access key; and sending the signed data packet.

4. The method according to claim 1 or 2, characterized in that, if the authentication response message contains an access valid time, after receiving the authentication response message returned by the access authentication server the method further comprises: resending the access authentication request to the access authentication server before the access valid time expires.

5. The method according to claim 1 or 2, characterized in that, before the network access device sends the access authentication request to the access authentication server, the method further comprises: generating the source IP address from a subnet prefix and the EI.

6. An access authentication method, characterized by comprising: receiving an access authentication request sent by a network access device, the source IP address of the access authentication request containing the entity identifier EI of the network access device; and authenticating the network access device according to the EI in the source IP address.

7. The method according to claim 6, characterized in that, after authentication passes, the method further comprises: generating registration information of the network access device, the registration information containing the EI; sending the registration message to an access control device to instruct the access control device to allow the network access device to access the network; receiving a registration response message returned by the access control device; and sending an authentication response message to the network access device, the authentication response message containing the registration message.

8. The method according to claim 6 or 7, characterized in that the access authentication request contains a signature of the access authentication request made with a private key, and authenticating the network access device according to the entity identifier in the source IP address specifically comprises: obtaining authorization information corresponding to the EI, the authorization information containing the EI and the public key corresponding to the private key; and verifying the access authentication request according to the authorization information.

9. The method according to claim 7, characterized in that the registration message contains an access valid time, and after sending the authentication response message to the network access device the method further comprises: determining whether the network access device has re-authenticated before the access valid time expires and, if it has not re-authenticated, sending an authority expiration message containing the entity identifier to the access control device to instruct the access control device to refuse the network access device access to the network.

10. An access authentication method, characterized by comprising: receiving a registration message sent by an access authentication server, the registration message containing the entity identifier EI of a network access device; generating an access control record containing the EI according to the registration information, and writing the access control record into an access control list to allow the network access device to access the network; and sending a registration response message to the access authentication server.

11. The method according to claim 10, characterized by further comprising: receiving a data packet sent by the network access device, the source IP address of the data packet containing the EI; and looking up whether the access control list contains an access control record containing the EI and, if so, processing the data packet according to the access control record, and if not, discarding the data packet.

12. The method according to claim 11, characterized in that, if the registration message further contains an access key, the access control record also contains the access key, and processing the data packet according to the access control record specifically comprises: verifying the data packet using the access key in the access control record, sending the data packet if verification passes, and discarding the data packet if verification fails.

13. The method according to claim 11, characterized in that, if the registration message further contains an access valid time, the access control record also contains the access valid time, and processing the data packet according to the access control record specifically comprises: determining whether the access valid time has expired, sending the data packet if it has not expired, and discarding the data packet if it has expired.

14. The method according to claim 13, characterized in that, after sending the registration response message to the access authentication server, the method further comprises: receiving an authority expiration message sent by the access authentication server, the authority expiration message containing the EI; and deleting the access control record containing the EI according to the authority expiration message.

15. A network access device, characterized by comprising: an authentication request module, configured to send an access authentication request to an access authentication server, the source IP address of the access authentication request containing the entity identifier EI of the network access device; and a first receiving module, configured to receive an authentication response message returned by the access authentication server.

16. The device according to claim 15, characterized in that the authentication request module is specifically configured to: obtain the EI and a private key; and generate the access authentication request and sign the access authentication request with the private key.

17. The device according to claim 15 or 16, characterized in that, if the authentication response message contains an access key, the device further comprises: a signing module, configured to sign a data packet with the access key; and a first sending module, configured to send the signed data packet.

18. The device according to claim 15 or 16, characterized in that, if the authentication response message contains an access valid time, the authentication request module is specifically configured to: resend the access authentication request to the access authentication server before the access valid time expires.

19. The device according to claim 15 or 16, characterized by further comprising: an address generating module, configured to generate the source IP address from a subnet prefix and the EI.

20. An access authentication server, characterized by comprising: a second receiving module, configured to receive an access authentication request sent by a network access device, the source IP address of the access authentication request containing the entity identifier EI of the network access device; and an authentication module, configured to authenticate the network access device according to the EI in the source IP address.

21. The server according to claim 20, characterized by further comprising:
The server according to claim 20, further comprising: 注册模块,用于在认证通过后,生成所述网络接入设备的注册信息,所述注册信息包含所述EI;A registration module, configured to generate registration information of the network access device after the authentication is passed, the registration information including the EI; 第二发送模块,用于向接入控制设备发送所述注册消息,以指示所述接入控制设备允许所述网络接入设备接入网络;A second sending module, configured to send the registration message to an access control device, to instruct the access control device to allow the network access device to access the network; 所述第二接收模块还用于,接收所述接入控制设备返回的注册应答消息;The second receiving module is further configured to receive a registration response message returned by the access control device; 所述第二发送模块还用于,向所述网络接入设备发送认证应答消息,所述认证应答消息包含所述注册消息。The second sending module is further configured to send an authentication response message to the network access device, where the authentication response message includes the registration message. 22.根据权利要求21或22所述的服务器,其特征在于,所述接入认证请求包含私钥对所述接入认证请求的签名,所述认证模块具体用于,22. The server according to claim 21 or 22, wherein the access authentication request includes a signature of a private key on the access authentication request, and the authentication module is specifically used for: 获取所述EI对应的授权信息,所述授权信息包含所述EI和与所述私钥对应的公钥;Obtain authorization information corresponding to the EI, where the authorization information includes the EI and a public key corresponding to the private key; 根据所述授权信息对所述接入认证请求进行验证。Verifying the access authentication request according to the authorization information. 23.根据权利要求21所述的服务器,其特征在于,若所述注册消息包含接入有效时间,则还包括:23. 
The server according to claim 21, wherein if the registration message includes an access valid time, it further includes: 权限更新模块,用于判断所述网络接入设备是否在所述接入有效时间过期之前重新进行了认证,若未重新认证则向所述接入控制设备发送包含所述EI的权限过期消息,以指示所述接入控制设备拒绝所述网络接入设备接入网络。An authority update module, configured to determine whether the network access device has re-authenticated before the access valid time expires, and if not re-authenticated, send an authority expiration message including the EI to the access control device, to instruct the access control device to reject the network access device from accessing the network. 24.一种接入控制设备,其特征在于,包括:24. An access control device, comprising: 第三接收模块,用于接收接入认证服务器发送的注册信息,所述注册信息包含网络接入设备的实体标识符EI;A third receiving module, configured to receive registration information sent by the access authentication server, where the registration information includes the entity identifier EI of the network access device; 访问控制模块,用于根据所述注册信息生成包含所述EI的访问控制记录,将所述访问控制记录写入访问控制列表以允许所述网络接入设备接入网络;An access control module, configured to generate an access control record containing the EI according to the registration information, and write the access control record into an access control list to allow the network access device to access the network; 第三发送模块,用于向所述接入认证服务器发送注册应答消息。A third sending module, configured to send a registration response message to the access authentication server. 25.根据权利要求24所述的设备,其特征在于,所述第三接收模块还用于,接收所述网络接入设备发送的数据报文,所述数据报文的源IP地址包含所述EI;25. 
The device according to claim 24, wherein the third receiving module is further configured to receive a data message sent by the network access device, the source IP address of the data message includes the EI; 还包括:Also includes: 报文处理模块,用于查找所述访问控制列表中是否有包含所述EI的访问控制记录,若有则根据所述访问控制记录对所述数据报文进行处理,若没有则丢弃所述数据报文。The message processing module is used to find out whether there is an access control record containing the EI in the access control list, if there is, the data message is processed according to the access control record, and if not, the data is discarded message. 26.根据权利要求25所述的设备,其特征在于,若所述注册信息还包含接入密钥,则26. The device according to claim 25, wherein if the registration information further includes an access key, then 所述访问控制模块具体用于,根据所述注册信息生成包含所述EI和所述接入密钥的访问控制记录;The access control module is specifically configured to generate an access control record containing the EI and the access key according to the registration information; 所述报文处理模块具体用于,根据所述访问控制记录中的所述接入密钥对所述数据报文进行验证,若验证通过则发送所述数据报文,若验证不通过则丢弃所述数据报文。The message processing module is specifically configured to verify the data message according to the access key in the access control record, send the data message if the verification passes, and discard the data message if the verification fails The datagram. 27.根据权利要求25所述的设备,其特征在于,若所述注册信息还包含接入有效时间,则27. The device according to claim 25, wherein if the registration information also includes an access valid time, then 所述访问控制模块具体用于,根据所述注册信息生成包含所述EI和所述接入有效时间的访问控制记录;The access control module is specifically configured to generate an access control record including the EI and the valid access time according to the registration information; 所述报文处理模块具体用于,判断所述接入有效时间是否过期,若未过期则发送所述数据报文,若过期则丢弃所述数据报文。The message processing module is specifically configured to judge whether the access valid time has expired, and if not expired, send the data message, and if expired, discard the data message. 28.根据权利要求27所述的设备,其特征在于,所述第三接收模块还用于,接收所述接入认证服务器发送的包含所述EI的权限过期消息;28. 
The device according to claim 27, wherein the third receiving module is further configured to receive a permission expiration message including the EI sent by the access authentication server; 所述访问控制模块还用于,根据所述权限过期消息删除包含所述EI的所述访问控制记录。The access control module is further configured to delete the access control record containing the EI according to the permission expiration message. 29.一种接入认证系统,其特征在于,包括:依次连接的如权利要求15~19任一所述的网络接入设备、如权利要求24~28任一所述的接入控制设备和如权利要求20~23任一所述的接入认证服务器。29. An access authentication system, characterized by comprising: the network access device according to any one of claims 15-19, the access control device according to any one of claims 24-28, and The access authentication server according to any one of claims 20-23.
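The three-party exchange the claims describe (EI embedded in the source IP, private-key signature on the authentication request, ACL record with access key and valid time, permission expiration), as an added Go example that is not the patent's own code. The IPv6 prefix-plus-EI address layout, Ed25519 for the private-key signature, HMAC-SHA256 for the access-key packet signature, and every type and function name are assumptions of this example; the claims fix none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"net/netip"
	"time"
)

// EI is the entity identifier, carried in the interface-identifier half of the device's IPv6 address (claim 19).
type EI [8]byte

// AddrFromEI is the device's address generation: subnet prefix + EI.
func AddrFromEI(prefix netip.Prefix, ei EI) netip.Addr {
	a := prefix.Addr().As16()
	copy(a[8:], ei[:])
	return netip.AddrFrom16(a)
}

// EIFromAddr is how the server and the access controller read the EI out of a source IP.
func EIFromAddr(a netip.Addr) (ei EI) {
	b := a.As16()
	copy(ei[:], b[8:])
	return ei
}

// SignAuthRequest is the device side of claim 16: source address plus nonce, signed with the private key.
func SignAuthRequest(priv ed25519.PrivateKey, src netip.Addr, nonce []byte) []byte {
	return ed25519.Sign(priv, append(src.AsSlice(), nonce...))
}

// AuthServer holds the authorization information of claim 8 (EI -> public key); Authenticate takes the EI
// from the source IP and verifies the request signature with that key (claims 20, 22).
type AuthServer struct{ Authorized map[EI]ed25519.PublicKey }

func (s *AuthServer) Authenticate(src netip.Addr, nonce, sig []byte) (EI, bool) {
	pub, ok := s.Authorized[EIFromAddr(src)] // unknown EI: no key, so ok is false and Verify is skipped
	return EIFromAddr(src), ok && ed25519.Verify(pub, append(src.AsSlice(), nonce...), sig)
}

// ACLRecord is the access control record of claims 12 and 13, kept in an ACL keyed by EI; Register handles
// the registration message (claim 10), Expire the permission-expiration message (claim 14).
type ACLRecord struct{ Key []byte; Expiry time.Time }
type AccessController struct{ ACL map[EI]ACLRecord }

func (c *AccessController) Register(ei EI, key []byte, exp time.Time) { c.ACL[ei] = ACLRecord{key, exp} }
func (c *AccessController) Expire(ei EI)                              { delete(c.ACL, ei) }

// TagData is the device's per-packet signature with the access key (claim 17), modelled as HMAC-SHA256
// over source address and payload (assumption: the claims do not fix the algorithm).
func TagData(key []byte, src netip.Addr, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(append(src.AsSlice(), payload...))
	return m.Sum(nil)
}

// Forward is the packet decision of claims 11 to 13: no record, expired record or bad tag means drop.
func (c *AccessController) Forward(src netip.Addr, payload, tag []byte, now time.Time) bool {
	rec, ok := c.ACL[EIFromAddr(src)]
	return ok && now.Before(rec.Expiry) && hmac.Equal(TagData(rec.Key, src, payload), tag)
}

func main() { // stand-alone run of the device -> server authentication step with a constructed EI
	pub, priv, _ := ed25519.GenerateKey(nil)
	ei := EI{0, 0, 0, 0, 0, 0, 0, 42}
	src := AddrFromEI(netip.MustParsePrefix("2001:db8::/64"), ei)
	srv := &AuthServer{Authorized: map[EI]ed25519.PublicKey{ei: pub}}
	_, ok := srv.Authenticate(src, []byte("n1"), SignAuthRequest(priv, src, []byte("n1")))
	fmt.Println("device", src, "authenticated:", ok)
}
```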
CN201110210884XA 2011-07-26 2011-07-26 Access authentication method, device, server and system Pending CN102255916A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201110210884XA CN102255916A (en) 2011-07-26 2011-07-26 Access authentication method, device, server and system
PCT/CN2011/083703 WO2013013481A1 (en) 2011-07-26 2011-12-08 Access authentication method, device, server and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110210884XA CN102255916A (en) 2011-07-26 2011-07-26 Access authentication method, device, server and system

Publications (1)

Publication Number Publication Date
CN102255916A true CN102255916A (en) 2011-11-23

Family

ID=44982912

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110210884XA Pending CN102255916A (en) 2011-07-26 2011-07-26 Access authentication method, device, server and system

Country Status (2)

Country Link
CN (1) CN102255916A (en)
WO (1) WO2013013481A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101119206A (en) * 2007-09-13 2008-02-06 北京交通大学 Identity-based integrated network terminal unified access control method
CN101145907A (en) * 2006-09-11 2008-03-19 华为技术有限公司 Method and system for realizing user authentication based on DHCP
EP2051432A1 (en) * 2006-08-31 2009-04-22 Huawei Technologies Co., Ltd. An authentication method, system, supplicant and authenticator
CN102065423A (en) * 2010-12-13 2011-05-18 中国联合网络通信集团有限公司 Node access authentication method, access authenticated node, access node and communication system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102255916A (en) * 2011-07-26 2011-11-23 中国科学院计算机网络信息中心 Access authentication method, device, server and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
DI MA等: "Host-Identifier-Based Scheme for Source Accountability of the Internet", 《12TH IFIP/IEEE IM 2011: MINI CONFERENCE》, 27 May 2011 (2011-05-27), pages 539 - 546, XP032035391, DOI: doi:10.1109/INM.2011.5990557 *

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013013481A1 (en) * 2011-07-26 2013-01-31 中国科学院计算机网络信息中心 Access authentication method, device, server and system
CN103986769A (en) * 2014-05-20 2014-08-13 东南大学 An identification network service access control method
CN103986769B (en) * 2014-05-20 2015-01-21 东南大学 Service access control method of identification network
CN104378457A (en) * 2014-11-26 2015-02-25 中国联合网络通信集团有限公司 Method, device and system for distributing IP address
CN106330836A (en) * 2015-07-01 2017-01-11 北京京东尚科信息技术有限公司 Access control method for client by server
CN106936685A (en) * 2015-12-30 2017-07-07 航天信息股份有限公司 A kind of means of communication and system based on real-time, interactive
CN105610841B (en) * 2015-12-31 2020-10-23 国网智能电网研究院 User information authentication method based on traceability
CN105610841A (en) * 2015-12-31 2016-05-25 国网智能电网研究院 User information authentication method based on traceability
CN107104872B (en) * 2016-02-23 2020-11-03 华为技术有限公司 Access control method, device and system
CN107104872A (en) * 2016-02-23 2017-08-29 华为技术有限公司 Access control method, device and system
US11095478B2 (en) 2016-02-23 2021-08-17 Huawei Technologies Co., Ltd. Access control method, apparatus, and system
CN109257343A (en) * 2018-09-05 2019-01-22 沈阳理工大学 A kind of anti-access authentication method of compound dimension based on matrix mapping
CN109257343B (en) * 2018-09-05 2020-11-10 沈阳理工大学 A composite dimension anti-access authentication method based on matrix mapping
CN109525403A (en) * 2018-12-29 2019-03-26 陕西师范大学 A kind of anti-leakage that supporting user's full dynamic parallel operation discloses cloud auditing method
CN109525403B (en) * 2018-12-29 2021-11-02 广州市溢信科技股份有限公司 Anti-leakage public cloud auditing method supporting full-dynamic parallel operation of user
CN110611890A (en) * 2019-09-17 2019-12-24 Oppo广东移动通信有限公司 Notification message control method and related device
CN110611890B (en) * 2019-09-17 2021-07-06 Oppo广东移动通信有限公司 Notification message control method and related device
US12096398B2 (en) 2019-09-17 2024-09-17 Guangdong Oppo Mobile Telecommunications Corp., Ltd. Method for notification message control and related devices

Also Published As

Publication number Publication date
WO2013013481A1 (en) 2013-01-31

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20111123